NotificationsYou must be signed in to change notification settings
Fork4.9k
Star17.7k

Commit40bc4c2

committed

Disable the use of Unicode escapes in string constants (U&'') when

standard_conforming_strings is not on, for security reasons.

1 parent616bceb commit40bc4c2Copy full SHA for 40bc4c2

File tree

4 files changed

+76

-2

lines changed

doc/src/sgml
- syntax.sgml
src
- backend/parser
  - scan.l
- test/regress
  - expected
    - strings.out
  - sql
    - strings.sql

4 files changed

+76

-2

lines changed

`‎doc/src/sgml/syntax.sgml`

Lines changed: 12 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-<!-- $PostgreSQL: pgsql/doc/src/sgml/syntax.sgml,v 1.131 2009/04/27 16:27:36 momjian Exp $ -->`
	`1`	`+<!-- $PostgreSQL: pgsql/doc/src/sgml/syntax.sgml,v 1.132 2009/05/05 18:32:17 petere Exp $ -->`
`2`	`2`
`3`	`3`	`<chapter id="sql-syntax">`
`4`	`4`	`<title>SQL Syntax</title>`
`@@ -499,6 +499,17 @@ U&'d!0061t!+000061' UESCAPE '!'`
`499`	`499`	`specified.`
`500`	`500`	`</para>`
`501`	`501`
	`502`	`+ <para>`
	`503`	`+ Also, the Unicode escape syntax for string constants only works`
	`504`	`+ when the configuration`
	`505`	`+ parameter <xref linkend="guc-standard-conforming-strings"> is`
	`506`	`+ turned on. This is because otherwise this syntax could confuse`
	`507`	`+ clients that parse the SQL statements to the point that it could`
	`508`	`+ lead to SQL injections and similar security issues. If the`
	`509`	`+ parameter is set to off, this syntax will be rejected with an`
	`510`	`+ error message.`
	`511`	`+ </para>`
	`512`	`+`
`502`	`513`	`<para>`
`503`	`514`	`To include the escape character in the string literally, write it`
`504`	`515`	`twice.`

`‎src/backend/parser/scan.l`

Lines changed: 6 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@`
`24`	`24`	`* Portions Copyright (c) 1994, Regents of the University of California`
`25`	`25`	`*`
`26`	`26`	`* IDENTIFICATION`
`27`		`- * $PostgreSQL: pgsql/src/backend/parser/scan.l,v 1.151 2009/04/19 21:08:54 tgl Exp $`
	`27`	`+ * $PostgreSQL: pgsql/src/backend/parser/scan.l,v 1.152 2009/05/05 18:32:17 petere Exp $`
`28`	`28`	`*`
`29`	`29`	`*-------------------------------------------------------------------------`
`30`	`30`	`*/`
`@@ -469,6 +469,11 @@ other.`
`469`	`469`	`startlit();`
`470`	`470`	`}`
`471`	`471`	`{xusstart}{`
	`472`	`+if (!standard_conforming_strings)`
	`473`	`+ereport(ERROR,`
	`474`	`+(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),`
	`475`	`+errmsg("unsafe use of string constant with Unicode escapes"),`
	`476`	`+errdetail("String constants with Unicode escapes cannot be used when standard_conforming_strings is off.")));`
`472`	`477`	`SET_YYLLOC();`
`473`	`478`	`BEGIN(xus);`
`474`	`479`	`startlit();`

`‎src/test/regress/expected/strings.out`

Lines changed: 39 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@ ERROR: syntax error at or near "' - third line'"`
`22`	`22`	`LINE 3: ' - third line'`
`23`	`23`	`^`
`24`	`24`	`-- Unicode escapes`
	`25`	`+SET standard_conforming_strings TO on;`
`25`	`26`	`SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";`
`26`	`27`	`data`
`27`	`28`	`------`
`@@ -34,6 +35,18 @@ SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d0061t\+000061" UESCAPE '';`
`34`	`35`	`dat\+000061`
`35`	`36`	`(1 row)`
`36`	`37`
	`38`	`+SELECT U&' \' UESCAPE '!' AS "tricky";`
	`39`	`+ tricky`
	`40`	`+--------`
	`41`	`+ \`
	`42`	`+(1 row)`
	`43`	`+`
	`44`	`+SELECT 'tricky' AS U&"\" UESCAPE '!';`
	`45`	`+ \`
	`46`	`+--------`
	`47`	`+ tricky`
	`48`	`+(1 row)`
	`49`	`+`
`37`	`50`	`SELECT U&'wrong: \061';`
`38`	`51`	`ERROR: invalid Unicode escape value at or near "\061'"`
`39`	`52`	`LINE 1: SELECT U&'wrong: \061';`
`@@ -46,6 +59,32 @@ SELECT U&'wrong: +0061' UESCAPE '+';`
`46`	`59`	`ERROR: invalid Unicode escape character at or near "+'"`
`47`	`60`	`LINE 1: SELECT U&'wrong: +0061' UESCAPE '+';`
`48`	`61`	`^`
	`62`	`+SET standard_conforming_strings TO off;`
	`63`	`+SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";`
	`64`	`+ERROR: unsafe use of string constant with Unicode escapes`
	`65`	`+DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.`
	`66`	`+SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d0061t\+000061" UESCAPE '';`
	`67`	`+ERROR: unsafe use of string constant with Unicode escapes`
	`68`	`+DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.`
	`69`	`+SELECT U&' \' UESCAPE '!' AS "tricky";`
	`70`	`+ERROR: unsafe use of string constant with Unicode escapes`
	`71`	`+DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.`
	`72`	`+SELECT 'tricky' AS U&"\" UESCAPE '!';`
	`73`	`+ \`
	`74`	`+--------`
	`75`	`+ tricky`
	`76`	`+(1 row)`
	`77`	`+`
	`78`	`+SELECT U&'wrong: \061';`
	`79`	`+ERROR: unsafe use of string constant with Unicode escapes`
	`80`	`+DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.`
	`81`	`+SELECT U&'wrong: \+0061';`
	`82`	`+ERROR: unsafe use of string constant with Unicode escapes`
	`83`	`+DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.`
	`84`	`+SELECT U&'wrong: +0061' UESCAPE '+';`
	`85`	`+ERROR: unsafe use of string constant with Unicode escapes`
	`86`	`+DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.`
	`87`	`+RESET standard_conforming_strings;`
`49`	`88`	`--`
`50`	`89`	`-- test conversions between various string types`
`51`	`90`	`-- E021-10 implicit casting among the character data types`

`‎src/test/regress/sql/strings.sql`

Lines changed: 19 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -17,13 +17,32 @@ SELECT 'first line'`
`17`	`17`	`AS"Illegal comment within continuation";`
`18`	`18`
`19`	`19`	`-- Unicode escapes`
	`20`	`+SET standard_conforming_strings TOon;`
	`21`	`+`
	`22`	`+SELECT U&'d\0061t\+000061'AS U&"d\0061t\+000061";`
	`23`	`+SELECT U&'d!0061t\+000061' UESCAPE'!'AS U&"d0061t\+000061" UESCAPE'';`
	`24`	`+`
	`25`	`+SELECT U&'\' UESCAPE'!' AS "tricky";`
	`26`	`+SELECT'tricky' AS U&"\" UESCAPE'!';`
	`27`	`+`
	`28`	`+SELECT U&'wrong: \061';`
	`29`	`+SELECT U&'wrong: \+0061';`
	`30`	`+SELECT U&'wrong:+0061' UESCAPE'+';`
	`31`	`+`
	`32`	`+SET standard_conforming_strings TO off;`
	`33`	`+`
`20`	`34`	`SELECT U&'d\0061t\+000061' AS U&"d\0061t\+000061";`
`21`	`35`	`SELECT U&'d!0061t\+000061' UESCAPE'!' AS U&"d0061t\+000061" UESCAPE'';`
`22`	`36`
	`37`	`+SELECT U&' \' UESCAPE'!' AS "tricky";`
	`38`	`+SELECT'tricky' AS U&"\" UESCAPE'!';`
	`39`	`+`
`23`	`40`	`SELECT U&'wrong: \061';`
`24`	`41`	`SELECT U&'wrong: \+0061';`
`25`	`42`	`SELECT U&'wrong:+0061' UESCAPE'+';`
`26`	`43`
	`44`	`+RESET standard_conforming_strings;`
	`45`	`+`
`27`	`46`	`--`
`28`	`47`	`-- test conversions between various string types`
`29`	`48`	`-- E021-10 implicit casting among the character data types`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit40bc4c2

File tree

4 files changed

4 files changed

`‎doc/src/sgml/syntax.sgml`

`‎src/backend/parser/scan.l`

`‎src/test/regress/expected/strings.out`

`‎src/test/regress/sql/strings.sql`

0 commit comments